Key Points

  • Japan is one of the handful of countries that has been found adequate for its data protection regime from the perspective of the European Union (EU). At the same time, Japan has concluded a trade agreement with the United States of America (US), which leaves little room for restrictions on data flows to the US. This raises the question of how Japanese data protection law manages to be, on the one hand, compatible with EU standards while, on the other, supporting almost restriction-less data flows to the US.

  • This article argues that the Japanese approach to personal data transfers is caught in the middle between the EU and the US, resulting in partly contradictory legal provisions. Japan has not managed to appropriately reconcile within its legal rules the differing demands of the EU and the US. Nevertheless, the Japanese attempt is notable. In a world where a global agreement on data transfers seems for many reasons out of reach, allowing different regimes to apply in parallel depending on the country at issue might be a realistic way forward even though it means living with a certain level of complexity and fragmentation.

  • The central contribution of this article is to offer a new perspective on the question of international data transfers from a legal system that has not dominated the discussions on the matter and therefore, like many other nations that are not within the EU or the US, has to reconcile differing external demands for data flows within its legal system.

Introduction

Japan is one of the handful of countries that has been found adequate for its personal data protection regime from the perspective of the European Union (EU), allowing personal data to be transferred from the EU to Japan without further constraints.1 At the same time, however, Japan has concluded several international trade agreements,2 including one with the United States of America (US),3 that only allow for very limited restrictions on data flows, including flows involving personal data.4 Therefore, Japanese data protection law is trying to bridge the two very differing approaches from the EU and the US.5 The EU is mandated by its own Court of Justice (CJEU) to understand data transfers as a question of ensuring the continuity of the fundamental rights protection of its residents.6 The US, on the other hand, views international data flows as being crucial for international trade and economic growth.7 Japanese data protection law seems to have room for both, although as pointed out by a project of the Digital Free Trade Alliance, for example, there are indications of a conflict between its trade agreements and its adequacy commitments to the EU.8

Within this article, we explore the question of how Japan navigates the differing demands made on its legal system for international personal data transfers. Previous research already suggests that the Japanese approach to data transfers is currently struggling with certain contradictions, especially relating to its trade commitments.9 In our research, we dig deeper into the friction points between Japanese data protection law and the at times contradictory demands placed on its rules by both the EU and the US. In doing so, we not only focus on the details of the Japanese data protection approach for data transfers but also assess whether it contains the seeds of a pragmatic solution to handling differing objectives for regulating data flows. With its analysis from a Japanese perspective, this article addresses a gap in academic literature, which has considered the subject of international data flows predominantly from a global,10 EU,11 or US12 viewpoint.

This article approaches the research questions in five analytical steps. The first section summarizes the Japanese approach towards international personal data flows. The second section introduces how Japan has found an accommodation for international personal data transfers with the EU, whereas the third section analyses its commitments for more data flows with the US. The fourth section then assesses both the conflicts and the opportunities apparent in the Japanese approach. In our concluding section, we reflect especially on these opportunities and propose to embrace complexity and fragmentation as a feature not a bug for international data flows.

Japan’s approach to personal data transfers

Japanese data protection law is multi-tiered. The main provisions for international personal data flows are found in the Act on the Protection of Personal Information (APPI).13 The APPI replaced in 2015 the previous data protection regime with the aim of achieving adequacy from the EU.14 While the APPI has already undergone two reforms since the EU’s adequacy decision,15 its rules on data transfers remained in essence unchanged.16

Introduction to Japanese data protection law

The content of Japanese data protection law is shaped by subordinate ‘rules and norms’ that exist in different layers. See Figure 1 for a visualization.

Figure 1. The multi-tiered structure of Japanese data protection law.

The Constitution of Japan (Constitution) sits at the bottom layer, as the foundation for Japanese data protection law.17 As in the Constitution of the US, the phrase ‘right to privacy’ does not appear in the Constitution of Japan. Nevertheless, various judgments confirm that the right to privacy derives from Articles of the Constitution, namely Article 13, Article 21(2), and Article 35.18

  • Article 13 comprises two clauses.19 While the first clause prescribes the principle of respect for individuals and public welfare, the second clause stipulates the right to the pursuit of happiness, which is understood to be the source of privacy rights, including the right of publicity and the right to reputation.

  • Article 21(2) provides protections for, inter alia, secrecy of correspondence.20 To ensure the effectiveness of this protection, the Telecommunications Business Act requires telecommunications carriers to protect the secrecy of communications and prescribes criminal sanctions for violations.21 In terms of the scope of secrecy of communications, a district court has held that ‘secrecy of communication’ includes: (i) the name, address, and telephone number of the parties to the communication; (ii) places where the communication took place; as well as (iii) the date, time, and frequency of the communication, in addition to the content of communication.22

  • Article 35 is a provision that is similar to, for example, the Fourth Amendment of the US Constitution, which provides protection from searches and seizure unless a warrant is duly executed.23 In 2017, for example, the Supreme Court (Grand Bench) held that the use of a GPS device by law enforcement to track the location of suspected individuals constitutes search and seizure under criminal law, and therefore a search and seizure warrant must be executed in order to use such a device.24

At the second layer, there is the APPI. After the Constitution of Japan, the APPI as well as other laws or acts are at the highest position in the Japanese legal hierarchy. The Diet—the legislative assembly of Japan—is the only body that has the power to enact or amend acts. Restricting individuals’ rights or imposing obligations on individuals can only be done through laws.

The third layer is the Cabinet Order to Enforce the Act on the Protection of Personal Information (‘Cabinet Order’).25 Article 73 of the Constitution of Japan authorizes the Cabinet, the executive branch of the government, to issue cabinet orders. The scope of cabinet orders is limited to matters delegated by relevant law. Unless delegated by law, cabinet orders cannot restrict rights or impose duties. For the APPI, the adopted Cabinet Order provides the relevant details. For example, Article 2(2) of the APPI states, ‘Individual identification code in this Act means one prescribed by Cabinet Order which consists of any character, letter, number, symbol or other codes falling under any of the following items…’ Following this, Article 1 of the Cabinet Order enumerates types of information that are considered to be an ‘individual identification code’. These are, inter alia, base sequence constituting DNA taken from a cell; appearance decided by facial bone structure and skin colour as well as the position and shape of eyes, nose, mouth, or other facial elements; a linear pattern formed by an iris’ surface undulation; and the like.

At the fourth layer, there are two rules: (i) Enforcement Rules for the Act on the Protection of Personal Information (Enforcement Rules)26 and (ii) Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU and the UK based on an Adequacy Decision (Supplementary Rules).27 These are often translated as Enforcement Order, or Ministerial Order as they are made by a minister.28 Technically, enforcement orders are inferior to cabinet orders.

At the fifth layer, there are multiple guidelines and other forms of documents that are also part of Japanese data protection law. There are five volumes of guidelines, namely on: (i) General Rules29; (ii) Provision to Third Parties in Foreign Countries30; (iii) Checking and Recording Obligation at the Time of Provision31; (iv) Pseudonymized Personal Information and Anonymized Personal Information32; and (v) Certified Personal Information Protection Organizations.33 Finally, there is a document entitled Q&A concerning the Guidelines for the Act on the Protection of Personal Information.34

The legal nature of all the different layers is not always easy to determine. Questions such as, what the legal characteristics of non-legislative norms (in general as well as these in particular) are, whether they are legally binding, or what the legal effects produced by them are, are therefore not straightforward to answer.35 For the purpose of this article, we consider that all of these constitute the contour of Japanese data protection law.

The Personal Information Protection Commission (PPC), the privacy regulator of Japan, is established by Articles 130–145 of the APPI. Articles 146–152 stipulate its supervisory power over Businesses Handling Personal Information (or ‘operators’). Article 146 grants the PPC its inspection powers.36 To the extent necessary to fulfil its duties and functions, the PPC can: (i) require an operator to provide necessary and relevant information or material; (ii) have its officials enter a business office or other necessary place; (iii) inquire about the handling of personal or other related information; (iv) inspect a book, document, or other item.37 This inspection power, however, is not to be understood as conferring the competence to conduct a criminal investigation.38

Articles 147 and 148 APPI set forth various measures that the PPC can take when the Act is violated by operators. The PPC can make ‘recommendations’ when designated provisions39 are violated, and if the PPC deems it is necessary to protect the rights and interests of individuals. The PPC can also issue ‘orders’ when an operator has received a ‘recommendation’ but has not taken an action in line with the recommendation without legitimate grounds, and if the PPC finds that ‘a serious infringement of individual rights and interests is impending’.40 Article 148(3) APPI sets forth the conditions when the PPC can issue what can be translated as ‘urgent orders’, which do not require a recommendation to be made in advance. An urgent order can be issued when: (i) an operator violates designated provisions and (ii) the PPC finds that ‘there is a need to take urgent measures because there is a fact that seriously prejudices individual rights and interests’.41

Chapter VIII APPI sets forth criminal sanctions for various violations. For example, when a person does not comply with an order42 or an urgent order,43 that person can face imprisonment for not more than one year or a fine of not more than 1,000,000 JPY.

International data transfer under Japanese data protection law

The APPI 2021 introduces four ways for personal data to be transferred from Japan to a third country. These ways are in a rule-exception relation, with the first way (consent) forming the rule, and the others its exceptions. See Figure 2 for a visualization.

Figure 2. The system for data transfers in the APPI.

Generally, when operators44 wish to provide personal data45 to a third party in a foreign country, they must obtain the prior consent of the data subject.46 The consent can be obtained only after the operator offers specific information to the data subject. The types of information required by the APPI are: (i) the data protection system of the foreign country; (ii) the measures the third party takes for protecting personal information; and (iii) other information that serves as a reference for the data subject.47 The Enforcement Rules provide more details. In addition to specifying how the information should be provided,48 they require: (i) the name of the foreign country; (ii) information about the data protection regime of the foreign country; and (iii) data protection measures taken by the third party.49

There are three exceptions to this general rule: (i) the foreign country, in which the third party is established, is found to be ‘adequate’ by the PPC; (ii) the third party is taking ‘equivalent measures’ that meet the standard of data protection prescribed by the PPC50; or (iii) the legal ground for the operator to provide personal data falls within one of the cases enumerated in the Act.51

The first exception is further detailed in the Enforcement Rules, which stipulate the conditions that the foreign country should meet in order to be found ‘adequate’ by the PPC.52 As of 23 January 2019, 30 European Economic Area (‘EEA’) countries and the United Kingdom (UK), a former EEA member, have been found ‘adequate’ by the PPC.53 The adequacy findings for the EEA countries were re-evaluated and re-confirmed in 2023 as part of a mutual adequacy re-assessment with the EU.54

The second exception is explained in Article 28(1) of the APPI, which excludes certain entities from the definition of ‘third party’. If an entity is taking measures (also referred to as ‘equivalent measures’55) that meet the standard prescribed in the Enforcement Rules, the entity is not a ‘third party’ for the purpose of this article. The Enforcement Rules provide two avenues to meet this standard.56 First, both entities—the operator in Japan providing personal data and the entity in a foreign country receiving personal data—must ensure the implementation of ‘equivalent measures’ to fulfil the obligations set forth in section 2 of Chapter 4 of the APPI (ie, from Articles 17 to 40) by appropriate and reasonable means.57 These are general obligations and principles under the APPI that apply to operators. The Guidelines explain that ensuring compliance by contract or a company’s by-law can be an appropriate and reasonable means.58 The Guidelines also explain that the standard is met if the operator providing personal data has been certified under the APEC CBPR System.59 Secondly, the standard is met if the entity receiving personal data has earned a certification under an internationally established framework concerning protection of personal data.60 The Guidelines explain that the standard is met if the entity in a foreign country receiving personal data has been certified under the APEC CBPR System.61

When the operator has provided the personal data relying on the second exception, Article 28(3) reaffirms its obligation to continuously ensure that the receiving party in a foreign country complies with its obligations. The Enforcement Rules provide further details as to what the providing operator must do.62 First, it must periodically,63 by appropriate and reasonable means, check: (i) if the receiving party is complying with its obligations64; and (ii) whether or not there is a system or institution in the foreign country that may affect the receiving party’s ability to comply with its obligations, and the details of such system or institution if any.65 Second, the providing operator must: (i) take necessary and appropriate measures if there is anything affecting the implementation of equivalent measures; and (ii) cease to provide personal data if ensuring the implementation of equivalent measures becomes difficult.66

The third exception comes into play when one of the seven ‘derogations’ of Article 27(1) APPI applies to the transfer. These cases concern, inter alia, (i) cases based on Japanese laws and regulations; (ii) cases in which there is a need to protect the life, wellbeing, or property of an individual, and it is difficult to obtain the consent of the data subject; and (iii) cases in which there is a special need to improve public well-being or promote healthy child development, and it is difficult to obtain the consent of the data subject.67

One special feature of Japanese data protection law is the detailed record-keeping obligations for both parties, meaning the one providing personal data and the one receiving them.68 When a party provides or receives personal data, including in the context of an international personal data transfer, it must keep certain records. Article 29 of the APPI requires the party providing the personal data to make records of: (i) the date of the data sharing; (ii) the name of the (third party) receiving the data; as well as (iii) other matters stipulated by the Enforcement Rules, for example, whose personal data was provided, and what kind of personal data was provided. Article 30 of the APPI requires receiving parties to confirm or check how the personal data was acquired by the providing party, along with the identity of the providing party.69 An entire volume of PPC guidance70 is devoted to this Checking-and-Record-Keeping Rule. The Guidelines explain that the receiving party can be found in violation of the APPI if, for example, there were reasons to suspect that the providing party has acquired the personal data in violation of Article 20(1) (a rule requiring operators to not acquire personal data by deceit or other improper means) but, nevertheless, received the personal data.71

The different layers of data protection law in Japan increase the complexity but also the available level of detail for the Japanese approach towards international personal data transfers. Reading the APPI alone will never be sufficient to comprehend the applicable rules for transfers; one also needs to consider the other layers, in particular the Enforcement Rules and the PPC Guidance. These additional documents provide, however, much more detail than traditional legislation would, assisting operators in their compliance with the different requirements.

Personal data transfers from Japan to the EU

Japan has found a number of countries to have equivalent levels of protection to that provided by the APPI 2021. Among them are all the countries of the EEA,72 which were found adequate by Japan at the same time as the EU found Japan adequate under its adequacy decision system.73 In addition, Japan has found the UK’s system equivalent.74 As reported by the European Commission in its review of the adequacy framework for Japan, the PPC is currently not working on any further equivalency findings.75

With the EEA being adequate, transfers from Japan to the EU can take place without the need for consent or one of the other specific transfer measures described in the previous section. At the same time, due to the fact that Japan enjoys an adequacy decision from the EU’s perspective, personal data can also principally flow freely from the EU to Japan, at least to those Japanese importers that are in the scope of the adequacy decision.76 This presents a first important limitation. For the moment, the adequacy decision is only applicable to the private sector in Japan; the public sector being explicitly excluded.77 In April 2023, the European Commission and the PPC announced that they have started ‘exploring’ whether to expand the scope of the adequacy decision to the Japanese public sector, which following the latest APPI reform was now also within the scope of the APPI.78

The Japanese data protection system is multi-layered with some rather unique features, such as the existence of additional rules to explain the main data protection requirements, as highlighted in the previous section. It is very different from the data protection system set up by the General Data Protection Regulation (GDPR) for the EU context. Against this background, it is perhaps unsurprising that the European Commission struggled in finding Japan adequate based on the APPI in its implementation of 2017 alone. Some differences regarding (i) the substantive level of protection, eg, the level of protection provided for data transfers and (ii) the safeguards in case of governmental access to the EU data by Japanese public authorities were apparently too substantial for the European Commission to consider Japan adequate.79 The Commission therefore based its adequacy finding not solely on the APPI but on two additional ‘documents’ that were then added as Annexes to the decision.80 These two documents encompass on the one hand the Supplementary Rules by the PPC to heighten the substantive level of protection (which were discussed already in the previous section), and on the other, assurances by the Japanese government for instances of governmental access.81 The additional documents have the odd effect that in practice personal data coming from the EU is subject to stricter requirements than personal data originating from Japan. In other words, Japanese operators apply different rules to EU personal data than to Japanese personal data.82

Data transfers between the EU and Japan depend on the two ‘mutual’ adequacy decisions. In April of 2023, representatives of both sides confirmed the continuing adequacy of the other.83 Nevertheless, from the perspective of the EU, concerns have been voiced on whether the Japanese data protection system is truly essentially equivalent.84 In its assessment of the Japanese onward transfer regime, meaning the regime that applies to EU personal data being internationally transferred by a Japanese operator to recipients outside of Japan, both at the time of the adequacy finding and at the 2023 re-evaluation, the European Commission has continuously turned a blind eye to two crucial details. First, the APPI was never by itself sufficient for adequacy from the EU. It had to be supplemented by the Supplementary Rules and specific guarantees for governmental access, as explained above. The different options for onward transfers only guarantee a level of protection similar to the APPI, leaving out the additional protective layer of the Supplementary Rules and the guarantees for governmental access.85 Secondly, the APPI has more options for transfers than the three listed in the Supplementary Measures. As explained in the previous section, the APPI also foresees a number of ‘derogations’, which can justify a data transfer, such as for example if there are laws and regulations authorizing it.86 The European Commission has failed to assess either in the original adequacy decision or in the recent review how these derogations interact with personal data originating from the EU and whether their use can still ensure the essentially equivalent level of protection for individuals’ fundamental rights required by the GDPR and the EU Charter.87

While it is outside of the scope of this article to assess whether the Japanese data protection system actually achieves the adequacy status from the perspective of EU law, the problems with onward transfers detailed in this section can justify doubts on the validity of the EU’s adequacy assessment for Japan. This will turn into a serious problem if the adequacy decision is ever challenged in front of EU courts or the data protection authorities, in particular if such a challenge escalates in a referral to the CJEU, who has a track record of being very strict on the level of protection required from the perspective of the EU Charter for personal data to be transferred.88

Personal data transfers from Japan to the US

The EU is not the only destination for data transfers from Japan. Rather, many Japanese data transfers head towards the US (including transfers of data received from the EU).89 From a data protection law perspective, data transfers from Japan to the US take place based on the ordinary rules laid down in the APPI that were discussed in the first section. Since there is no adequacy decision by the PPC for the US, such transfers would have to be based on informed consent, ‘equivalent measures’ or one of the derogations of Article 27 APPI.90

If a transfer from Japan to the US is based on informed consent, this would require a set of specific information for the data subject, including information about where the transfer is going and what sort of measures would be in place to ensure its protection.91 There are no known issues with fulfilling these requirements for the US.

If the transfer of personal data from Japan to the US is based on ‘equivalent measures’, the newly introduced obligations regarding the ensuring of the level of protection might require some careful attention.92 These new obligations require operators to consider whether anything in the destination of the data transfer could affect the level of protection provided by the equivalent measures. One example provided by the PPC is the case where ‘a system makes it possible for a government to extensively collect information regarding personal information held by a business operator by the government imposing a duty of extensive cooperation in information collection activities on the business operator’.93

This makes the Japanese standard for equivalent measures similar to the one required by the GDPR for transfers based on appropriate safeguards, such as standard contractual clauses (SCCs).94 The GDPR standard is a consequence of the case law of the CJEU, where the court confirmed that EU data exporters have to ensure that any appropriate safeguard they are using is not undermined in its protection by laws and practices in the country of the data importer.95 As the CJEU has criticized from an EU perspective, access to personal data in the US by national security agencies is rather widespread and therefore not limited to what is strictly necessary and proportionate from the perspective of EU fundamental rights.96 It is not clear how the US regime for governmental access would be viewed from the perspective of the APPI.

An interesting question here is in particular whether the Executive Order adopted by the US in October 2022 to achieve a(nother) positive adequacy decision from the EU could have a positive impact for transfers from Japan.97 The Executive Order lays down safeguards to ensure that all governmental access to personal data from third countries by US intelligence agencies stays limited to what is necessary and proportionate.98 These safeguards also include legal remedies for individuals to request a review of the access by a so-called Data Protection Review Court.99 The US adopted the Executive Order in order to achieve a new (third) adequacy decision from the EU for its self-certification scheme—now renamed ‘Data Privacy Framework’ (DPF).100

The Executive Order’s scope is not limited to transfers between the EU and the US but rather appears open for all transfers to all third countries as long as its conditions for application are fulfilled.101 These conditions are (i) a designation by the US Attorney General as a qualifying state, (ii) that commercial transfers are possible between the US and the country in question, and (iii) that the transfer advances the national interests of the US.102 It is not known whether Japan has made any attempts to be qualified for the Executive Order and whether, even without an equivalency decision for the US, commercial transfers would be enabled.103

Other conditions for equivalent measures do not appear to pose big obstacles for transfers from Japan to the US. The PPC advises assessing the existence of ‘equivalent measures’ based on compliance with international frameworks on personal data protection,104 such as the OECD Privacy Principles105 or the APEC Privacy Framework.106 As these are rather flexible in their implementations, the US should qualify as a system for which measures can be put in place. The PPC has published assessments of a number of third countries on its website, which are supposed to help operators analyse whether the conditions for equivalent measures can be met.107 The PPC takes no responsibility for the provided information, indicating that referring to it would not exempt an operator from accountability if the information was incorrect.108 For the US, the published assessment notes the signing up to the APEC CBPR system and compliance with the eight OECD Guidelines principles, suggesting that equivalent measures for the US should be possible.109

In its guidance, the PPC notes in several places that the APEC CBPR system can be a means to comply with the Japanese data transfer rules.110 The APEC CBPR system is a self-certification system based on the principle of accountability.111 Its main weakness, at least from an EU perspective, is that it lacks tools to make it binding and thus operates essentially on a voluntary basis.112 The European Commission in its 2023 review of the Japan adequacy decision explicitly underlines that the APEC framework does not guarantee the necessary level of protection for personal data coming from the EU, in particular because it does not result in binding commitments on the level of protection.113 Both Japan and the US are adopters of the APEC CBPR system, and are also involved in an initiative to broaden their applicability ‘globally’ thus beyond the APEC States.114 The APEC CBPR system appears therefore a prime option for transfers between Japan and the US. Whether this is the case in practice can be doubted, however, as only three Japanese companies have so far finalized their certification under APEC CBPR.115

Outside the realms of data protection law, Japan has concluded a digital trade agreement (DTA) with the US, which also includes rules on the free flow of data among its provisions.116 Concretely, the agreement provides that ‘neither party shall prohibit or restrict the cross-border transfer of information including personal information, by electronic means, if this activity is for the conduct of the business of the covered person’.117 Personal information is defined in the DTA as ‘any information, including data, about an identified or identifiable person’,118 which means that the free flow clause applies to international transfers for personal data.119 According to Yakovleva, the free flow provision essentially requires ‘that cross-border transfers of information must be unrestricted’.120

Based on the DTA, it appears that Japan cannot restrict the flow of personal data to the US if such flows are made in a business context.121 This raises two questions in relation to the compatibility of the transfer rules of the APPI with the DTA. First, one can wonder whether the general system for transfers laid down in the APPI would be considered a restriction for the DTA. For this, it is also of relevance to ask whether, if the transfer rules pose a restriction, they could be justified under the exception to the DTA for ‘legitimate public policy’ objectives.122 Secondly, even if the APPI regime itself is not a restriction or a restriction that can be justified under one of the exceptions to the DTA, it can be questioned whether the specific regime for EU personal data can be judged the same, since it imposes stricter rules for EU personal data.

It is difficult to find definitive answers to these questions, as for the moment there are no decisions by the responsible trade law bodies, such as the arbitration body of the World Trade Organization (WTO), clarifying the interaction between free flow of data clauses and data transfer rules.123 Academic literature seems to be divided. Miyashita, for example, points out that the APPI has more than one option for data transfers, also for onward transfers of EU data, suggesting that they are not restrictions.124 Yakovleva, on the other hand, concludes that transfer rules and, in particular, Japan’s specific rules for EU personal data would be deemed a restriction and, based on existing WTO case law interpreting exceptions to trade agreements, maintains that such restrictions could not be justified.125

The DTA is not the only free trade agreement Japan has taken part in with a free data flows clause. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP),126 a trade agreement between Japan, Australia, Brunei, Canada, Chile, Malaysia, New Zealand, Peru, Singapore, and Vietnam, includes a similar provision.127 The CPTPP goes even a step further than the DTA and includes an enforcement system.

The European Commission in its review of the Japan adequacy decision notes that the PPC had notified it about the conclusion of various trade agreements with free flow of data clauses, and that according to the PPC these would not affect the regime for transfers under the adequacy decision.128 The Commission seems to accept this explanation.129

It is also noteworthy in this context that the European Commission has itself reopened the trade agreement with Japan in order to possibly include a free flow of data clause, which was finalized in October 2023.130 It is not apparent how this clause interacts with the adequacy decision. The text of the new clause seems to determine that both Japan and the EU can maintain their data transfer rules to safeguard personal data protection as long as there are ‘conditions of general application’ allowing the transfers to go ahead under certain circumstances.131 This suggests that the mutual adequacy decisions between Japan and the EU are covered, as both of them are of broad horizontal application and could therefore be understood as forming ‘conditions of general application’. As long as the adequacy decisions are in place, the additional clause appears therefore of mostly symbolic value, as personal data transfers are still regulated by the adequacy regime.

Conflicts and opportunities in the Japanese approach

At first glance, Japan appears to have created a data protection regime within the APPI that allows for both transfers to the EU and the US. This would be a remarkable feat considering the difficulties the EU and the US have in arranging lawful transfers of personal data between their jurisdictions, most visible in the two annulled adequacy decisions for the US.

The philosophy behind the Japanese approach is captured by the ‘Data Free Flow with Trust’ (DFFT) initiative, which Japan first introduced at the World Economic Forum in 2019, when it was leading the G20.132 The concept has since been floated around at various policy levels, without anyone being too precise about what it exactly entails and especially how the DFFT will work compared with existing approaches.133 From existing documents, it appears that the core idea of the DFFT is that data flows are beneficial for society (especially for the global economy) and that they therefore should take place with certain safeguards.134 Both the US and the EU have voiced public support for the DFFT approach.135 If the Japanese rules are taken as a manifestation of the DFFT, then there appears to be widespread support for the Japanese approach on data transfers.

Contradictions and conflicts in the Japanese approach towards international personal data transfers

First glances can be misleading, however, as all is not well with the way the APPI is governing data transfers.

For data transfers to the EU, clouds on the horizon emerge from some of the doubts existing on whether the EU’s adequacy decision for Japan would withstand a test in front of the CJEU.136 It is true that the invalidity of the Japan adequacy decision would not automatically affect the validity of the PPC’s finding of adequacy for the EU. However, it would throw a significant curveball into the EU–Japan personal data exchanges. Admittedly, the European Commission has just given the Japan adequacy decision a clean bill of health and even announced plans to extend its scope to the public sector in Japan.137 This might create the impression that the adequacy decision for Japan is here to stay. Yet, considering that the European Commission did the same in each of the annual reports of the Privacy Shield—the adequacy decision for the US, which after 4 years was annulled by the CJEU—some scepticism on its assessment of Japan might be justified.138 It might therefore well be that a future decision of the CJEU pulls the rug out from under the current arrangement between the EU and Japan, at least from the EU side.

The provisions on onward transfers provided by the Supplementary Rules of the adequacy decision raise potential contradictions with Japan’s trade commitments as well. Japan attempts to treat EU personal data better than any other personal data, including personal data relating to Japanese residents, and operates with stricter rules for the onward transfer of such data. As proposed by Yakovleva, this might conflict with, for example, its free data flow clause with the US.139 The ‘interoperability’ of the Japanese data transfer approach with the system of the EU built on the APPI and its trade commitments appears therefore on shaky grounds.

In their paper ‘Privacy and/or Trade’, Chander and Schwartz consider Japan a typical example of the current conflict between trade and data protection rules.140 For them, the patchwork of transfer and trade rules negatively affects especially the opportunities of small companies from the world’s poorest economies to actively participate in global trade and thereby prevents them from benefiting from the internet.141 The current system, according to their argument, further increases the power of big companies, including big technology companies, who have the knowledge and resources to deal with the resulting complexity.142 These companies are already favoured by the ‘managerialization’ of data protection, as discussed by Waldman.143

Against this background, the Japanese approach appears too unstable to be the one to follow, since its success is dependent on an absence of legal challenges either in the EU or in front of the trade agreement dispute bodies.

Opportunities

Yet, not all is lost for the Japanese vision for data transfers, since the existing problems seem not beyond remediation. With its most recent reforms of the APPI, Japan has already raised its level of protection for all personal data significantly. The more it does so, the less likely it is that the decision will be felled for fundamental rights concerns by the CJEU. The conflict between its trade agreements and its transfer rules in the APPI hinges on whether trade law would allow the data transfer rules under its exceptions. This is not clear in the absence of a definitive decision of a trade arbitration body, such as the WTO panel. The European Commission and Japan seem to see no issue for the moment.

Since the conflicts appear solvable, the question remains whether the Japanese approach with its differing rules depending on the origin of the data can provide a meaningful contribution to the international debate on data flows. Following Chander and Schwartz, the answer appears to be still no, as these rules contribute to the complexification and fragmentation of data transfer rules around the globe.144

Chander and Schwartz’ argument is built on the premise that fragmentation of rules, as it occurs for transfers in a country like Japan that is running different approaches for different jurisdictions, is inherently negative because it is too complex and fragmented. This premise can be questioned. It is true that fragmented and complex rules are more difficult to comprehend and as a consequence less straightforward to apply, especially for those with fewer resources, such as smaller companies as noted by the authors.145 This does not, however, allow for the automatic conclusion that complexity and fragmentation in law need to be avoided at all costs and consequently that the current approach within Japanese law is not working.146

Technology regulation is and will always be complex, as both overly specific and overly broad rules need to be avoided, while the problems to tackle are difficult and far-ranging.147 The issue of international data transfers is, as observed by Chander and Schwartz, one that has been discussed since the 1980s.148 It poses a significant challenge as, on the one hand, any protection for individuals for personal data would be lost immediately if no transfer rules are put in place, due to the ease with which data can be copied and moved.149 On the other hand, data flows are crucial for information flows, which arguably form the backbone of not only the economy but also research and the global exchange of ideas, which are both also values protected in most human rights frameworks.150 The regulatory solution found to this conundrum is for many countries a carefully calibrated approach trying to balance various diverging interests, such as fundamental rights and trade. Such a solution was first put forward in the OECD Privacy Guidelines, and as noted by Chander and Schwartz, can now be found in 65 jurisdictions across the globe.151

There is no legally binding global standard on how to balance fundamental rights, such as privacy and personal data protection, and policy interests such as trade.152 Most fundamental rights are not absolute.153 However, trade by itself might not always be capable of justifying an interference (the CJEU in the EU has already dismissed economic interests as a policy objective capable of justifying limitation to privacy and data protection as safeguarded in the EU Charter).154 Still, trade is not always clearly separable from fundamental rights or fundamental rights interests. Within the EU for example there is recognition for the fundamental right to conduct a business.155 In an ideal world, countries would come together and agree on a global standard for the fundamental rights protection surrounding personal data in the form of an international agreement, or even, as proposed by Chander and Schwartz, in the auspices of the WTO156 (although whether a trade forum is the appropriate one for negotiating fundamental rights can be questioned).157 Complexity and a certain level of fragmentation seem to be a by-product of the absence of a global agreement on how to approach personal data.

Such a global agreement will be difficult in light of the different interests at stake.158 As we discuss in this article, approaches differ radically between the EU’s fundamental rights approach and the US’s free flow of data idea. From the perspective of fundamental rights, international data flows are a question of balancing between different protected interests, including privacy and the freedom of information. Even within Europe, where there is a long history of balancing fundamental rights in the context of personal data processing,159 the outcome of such balancing is very case-dependent, and there is room for regional variations. In a case on the right to be forgotten, the CJEU found that the EU cannot impose its balance of fundamental rights on a global scale.160 At the same time, the CJEU did insist on the protection of EU data subjects for data transfers to the US, using as a yardstick the requirements of the EU Charter.161

Approaches to data transfers such as the one found in the APPI (imperfectly for the moment) walk the line between the differing demands while at the same time expressing the constitutional balance based on various fundamental rights found in Japan for the protection of personal data. Complexity and fragmentation are the price for this, but perhaps from the perspective of fundamental rights, still one worth paying.

Complexity and fragmentation could also be seen as ‘friction-by-design’ within laws.162 ‘Friction-by-design’ in human–computer interface development is a concept that describes design that purposefully creates moments of friction in order to allow for time for reflection.163 Adapting this to a regulatory context, complexity and fragmentation, as long as they are still manageable, could be seen as allowing for such reflection (by-design). After all, operators in Japan will have to pause and assess what personal data will be transferred to where and how to best manage this. Considering the fundamental rights at stake, such a moment of reflection and careful compliance planning seems a good opportunity to bring lawyers, technology developers and management together to figure out how data protection can be a reality. This does not guarantee that this will then indeed happen, as has been demonstrated by Waldman,164 but it is at least a start.

Moreover, complexity and fragmentation can be managed.165 It is in this management that important lessons can be drawn from the Japanese data transfer approach. First, Japan offers comprehensive guidance on transfers, which it regularly updates to reflect developments (something not happening for much of the guidance within the EU of relevance for data transfers).166 Secondly, Japan regularly reviews its data transfer provisions, as seen in the recent reforms of 2020 and 2021, and adapts the law to regulatory best practice, such as that in the Supplementary Rules in terms of transfers.167 Finally, Japan offers evaluations of third countries to assist operators in their assessments. The PPC’s website hosts 35 country assessments at the time of writing, where further analysis on specific territories or legislations in that country is offered.168 These all appear useful (and, in the case of the third country assessments, innovative) measures to ensure that operators are able to navigate the complex framework that is the Japanese data transfer regime.

Conclusion

The Japanese approach to international personal data transfers is certainly complex. It builds on four alternating options to justify an international data transfer regulated in different layers of data protection legislation. For data transfers to the EU, the system is furthered by an additional layer, provided by the EU adequacy decision for Japan, supplemented by the Supplementary Rules. Japan thus treats EU personal data differently from all other personal data. At the same time, Japan is pursuing a Data-Free-Flow-with-Trust approach by increasingly relying on trade agreements to ensure free flow of personal data with other jurisdictions, for example with the US.

The multiple objectives and avenues for data transfer regulation in Japan are not without contradiction. In particular, its trade agreements with the US and other trading partners might conflict with its transfer arrangement for the EU, which in itself could be on shaky grounds from an EU perspective, but also from the viewpoint of international trade law. All is therefore not well for data transfers originating from Japan.

Nevertheless, this does not mean that Japan cannot provide some ideas on how differing demands on data flows may be reconciled within one legal system. Japan’s transfer rules are complex, but this may be a logical consequence of the difficulties that come with finding an appropriate policy balance between fundamental rights and trade ambitions. By introducing differing regimes for personal data coming from the EU, and those coming from other countries, Japan gains room to set this balance based on its own constitutional values. In the absence of an international agreement on transfers (and considering the difficulties of such an agreement ever materializing), approaches like the Japanese one might well be the way forward, provided the existing inconsistencies pointed out in this article can be adequately addressed.

Perhaps this is what the ever ethereal ‘data free flow with trust’ concept, currently pushed at the global policy level, refers to: a world in which each state finds its own balance for data transfers based on its constitution, while creating enough opening clauses for data exchanges with other legal systems. This is not necessarily a world of seamless data flows, but rather one where friction creates room for reflection on what fundamental rights need to be protected in what manner for global data flows.

Footnotes

1

Commission Implementing Decision (EU) 2019/419 on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information [2019] OJ L76/1, art 1 (hereinafter referred to as ‘Japan adequacy decision’).

2

See eg, Comprehensive and Progressive Agreement for Trans-Pacific Partnership [8 March 2018], art 14.11 (hereinafter referred to as ‘CPTPP’); Agreement between the United Kingdom and Northern Ireland and Japan for a Comprehensive Economic Partnership [5 November 2020], art 8.84 (hereinafter referred to as ‘Japan-UK CEPA’); and Regional Comprehensive Partnership Agreement [24 August 2022], art 12.15 (hereinafter referred to as ‘RCEP’).

3

Agreement between the United States of America and Japan concerning digital trade [2019], art 11 (hereinafter referred to as ‘US–Japan DTA’).

4

See further Svetlana Yakovleva, ‘Can Japan have the Best of Both Worlds? An EU Adequacy Decision Meets the Free Data Flow Provisions in CPTPP and USJDTA’ (Digital Trade Alliance 2023) <https://dtalliance.org/2023/02/14/can-japan-have-the-best-of-both-worlds-an-eu-adequacy-decision-meets-the-free-data-flow-provisions-in-cptpp-and-usjdta/> accessed 20 December 2023.

5

The divergences between the EU’s and the US’s approach towards privacy and the protection of personal data have been long discussed in academic literature. See in particular James Q Whitman, ‘The Two Western Cultures of Privacy: Dignity versus Liberty’ (2004) 113 Yale Law Journal 1151; Paul M Schwartz, ‘The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures’ (2013) 126 Harvard Law Review 1966.

6

Maximillian Schrems v Data Protection Commissioner, Case C-362/14, [2015] (ECLI:EU:C:2015:650), para 73 (hereinafter referred to as ‘C-362/14 Schrems I’); Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, Case C-311/18, [2020] (ECLI:EU:C:2020:559), paras 170, 171, 186, and 187 (hereinafter referred to as ‘C-311/18 Schrems II’).

7

Anupam Chander and Paul Schwartz, ‘Privacy and/or Trade’ (2023) 90 The University of Chicago Law Review 49, 85.

8

See in particular Svetlana Yakovleva, ‘Scope and Applicability of Free Data Flow Exceptions in US-Japan Digital Trade Agreement and the CPTPP’ (Report for the Digital Trade Alliance 2023) 37–38.

9

Ibid. See further Chander and Schwartz (n 7).

10

See eg, John M Eger, ‘Emerging Restrictions on Transnational Data Flows: Privacy Protection or Non-tariff Trade Barriers. Law and Policy in International Business’ (1978) 10 Law & Policy in International Business 1055; Eric J Novotny, ‘Transborder Data Flow Regulation: Technical Issues of Legal Concern’ (1981) 3 Computer/Law Journal 105; Ved P Nanda, ‘The Communication Revolution and the Free Flow of Information in a Transnational Setting’ (1982) 30 The American Journal of Comparative Law 411; Craig T Beling, ‘Transborder Data Flows: International Privacy Protection and the Free Flow of Information’ (1983) 6 Boston College International & Comparative Law Review 591; Christopher Kuner, Transborder Data Flows and Data Privacy Law (OUP, Oxford 2013); Anu Bradford, The Brussels Effect: How the European Union Rules the World (OUP 2020); Chander and Schwartz (n 7).

11

See eg, Frits W Hondius, ‘Data Law in Europe’ (1980) 16 Stanford Journal of International Law 87; Fred H Cate, ‘The EU Data Protection Directive, Information Privacy, and the Public Interest’ (1995) 80 Iowa Law Review 431; W Kuan Hon and Christopher Millard, ‘Data Export in Cloud Computing—How Can Personal Data be Transferred Outside the EEA? The Cloud of Unknowing, Part 4’ (2012) 9 SCRIPT-ed 25 (reference removed to preserve anonymity of the authors).

12

See eg, Allan Gottlieb, Charles Dalfen and Kenneth Katz, ‘The Transborder Transfer of Information by Communications and Computer Systems: Issues and Approaches to Guiding Principles’ (1974) 68 The American Journal of International Law 227; Henry Farrell and Abraham L Newman, Of Privacy and Power—The Transatlantic Struggle Over Freedom and Security (Princeton University Press, Princeton, USA 2019).

13

‘Act on the Protection of Personal Information’ available in English at <https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en> accessed 20 December 2023 (hereinafter referred to as ‘APPI 2021’).

14

See Hiroshi Miyashita, ‘EU-Japan Mutual Adequacy Decision’ (Blog Droit Européen, June 2020) <https://blogdroiteuropeen.files.wordpress.com/2020/06/miyashita-redo.pdf> 3–5, accessed 20 December 2023.

15

See for an overview of the developments Commission (EC), ‘Commission Staff Working Document accompanying the document: Report from the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decision for Japan’ SWD (2023) 75 final, 3 April 2023, 2–4 (hereinafter referred to as ‘EC 2023B’).

16

Compare Amended Act on the Protection of Personal Information (30 May 2017), available in English at <https://www.ppc.go.jp/files/pdf/Act_on_the_Protection_of_Personal_Information.pdf> accessed 20 December 2023 (hereinafter referred to as ‘APPI 2017’), to Amended Act on the Protection of Personal Information (revision of 12 June 2020), available in English translation at <https://www.ppc.go.jp/files/pdf/APPI_english.pdf> accessed 20 December 2023 (hereinafter referred to as ‘APPI 2020’), and APPI 2021 (n 13).

17

The Constitution of Japan [Nihonkoku Kenpo] (promulgated on 3 November 1946), available in English <https://japan.kantei.go.jp/constitution_and_government_of_japan/constitution_e.html> accessed 20 December 2023.

18

See judgments by: (i) the Tokyo District Court on 28 September 1964 [東京地判昭和39年9月28日 下民集15巻9号2317頁]; (ii) the Supreme Court of Japan (Grand Bench) on 24 December 1969 [最大判昭和44年12月24日 刑集23巻12号1625頁]; (iii) the Supreme Court of Japan on 14 April 1981 [最判昭和56年4月14日 民集35巻3号620頁]; (iv) the Supreme Court of Japan on 5 September 1995 [最判平成7年9月5日 判時1546号115頁]; (v) the Supreme Court of Japan on 15 December 1995 [最判平成7年12月15日 刑集49巻10号842頁]; (vi) the Supreme Court of Japan on 6 March 2008 [最判平成20年3月6日 民集62巻3号665頁]; (vii) the Supreme Court of Japan on 31 January 2017 [最決平成29年1月31日 判タ1434号48頁]; and (viii) the Supreme Court of Japan (Grand Bench) on 15 March 2017 [最大判平成29年3月15日 裁時1672号1頁].

19

The Constitution of Japan (n 17) art 13 (‘All of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.’).

20

Ibid, art 21 (‘(1) Freedom of assembly and association as well as speech, press and all other forms of expression are guaranteed; (2) No censorship shall be maintained, nor shall the secrecy of any means of communication be violated.’).

21

The Telecommunications Business Act, art 179 (‘(1) A person that has violated the secrecy of communications handled by a telecommunications carrier (…) is subject to not more than two years or a fine of not more than one million yen; (2) A person engaging in telecommunications business (…) that has undertaken the act set forth in the preceding paragraph is subject to imprisonment for not more than three years or a fine of not more than two million yen.’).

22

Judgment by the Tokyo District Court on 30th April 2002 [東京地裁平成14年4月30日判決].

23

The Constitution of Japan (n 17) art 35 (‘(1) The right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized, or except as provided by Article 33; (2) Each search or seizure shall be made upon separate warrant issued by a competent judicial officer.’).

24

Judgment of the Supreme Court of Japan (Grand Bench) on 15 March 2017.

25

Kojin joho no hogo ni kansuru houritsu sekourei [個人情報の保護に関する法律施行令] <https://elaws.e-gov.go.jp/document?lawid=415CO0000000507> accessed 22 December 2023. The English translation is the Cabinet Order to Enforce the Act on the Protection of Personal Information <https://www.ppc.go.jp/files/pdf/Cabinet_Order.pdf> accessed 22 December 2023 (hereinafter referred to as Cabinet Order 2016). This English translation is, however, a previous version, which was put into full effect on 30 May 2017. The latest version, which went into effect on 1 April 2023, is only available in Japanese.

26

Kojinjoho no hogoni kansuru houritsu sekou kisoku [個人情報の保護に関する法律施行規則] <https://elaws.e-gov.go.jp/document?lawid=428M60020000003> accessed 22 December 2023. The English translation is the Enforcement Rules for the Act on the Protection of Personal Information (hereinafter referred to as Enforcement Rules), <https://www.ppc.go.jp/files/pdf/PPC_rules.pdf> accessed 22 December 2023. For clarity, please note that these rules are referred to as Order of the Personal Information Protection Commission in the APPI or simply Order in some of their English documents (eg, in the Supplementary Rules). This article, however, uses Enforcement Rules for the purpose of clarity.

27

Kojinjoho no hogoni kansuru houritsuni kakawaru EU oyobi Eikoku ikinaikara jubunsei ninteiniyori itenwo uketa kojin detano toriatukaini kansuru hokanteki ruru [個人情報の保護に関する法律に係るEU及び英国域内から十分性認定により移転を受けた個人データの取扱いに関する補完的ルール] <https://www.ppc.go.jp/files/pdf/Supplementary_Rules_jp.pdf> accessed 22 December 2023. The English translation is the Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU and the United Kingdom based on an Adequacy Decision (hereinafter referred to as Supplementary Rules) <https://www.ppc.go.jp/files/pdf/Supplementary_Rules_en.pdf> accessed 22 December 2023.

28

National Government Organization Act, art 12.

29

Kojinjoho no hogoni kansuru houritsu ni tsuiteno gaidorain (Tsusoku hen) [個人情報の保護に関する法律についてのガイドライン(通則編)] <https://www.ppc.go.jp/files/pdf/230401_guidelines01.pdf> accessed 22 December 2023. While the authority does not provide an English translation of these guidelines, the English title would be The Guidelines for the Act on the Protection of Personal Information (Volume on General Rules) [referred to as Guidelines on General Rules].

30

Kojinjoho no hogoni kansuru houritsu ni tsuiteno gaidorain (Gaikokuni aru daisansyaheno teikyohen) [個人情報の保護に関する法律についてのガイドライン(外国にある第三者への提供編)] <https://www.ppc.go.jp/files/pdf/220908_guidelines02.pdf> accessed 22 December 2023. The English title would be The Guidelines for the Act on the Protection of Personal Information (Volume on Provision to Third Parties in Foreign Countries) [Referred to as Guidelines on Provision to Third Parties in Foreign Countries].

31

Kojinjoho no hogoni kansuru houritsu ni tsuiteno gaidorain (Daisansya teikyoujino kakunin—kiroku hen) [個人情報の保護に関する法律についてのガイドライン(第三者提供時の確認・記録義務編)] <https://www.ppc.go.jp/files/pdf/220908_guidelines03.pdf> accessed 22 December 2023. The English title would be The Guidelines for the Act on the Protection of Personal Information (Volume on Checking and Recording Obligation at the Time of Provision) [Referred to as Guidelines on Checking and Recording Obligation at the Time of Provision].

32

Kojinjoho no hogoni kansuru houritsu ni tsuiteno gaidorain (kamei kakou jouho—tokumei kakou jouho) [個人情報の保護に関する法律についてのガイドライン(仮名加工情報・匿名加工情報編)] <https://www.ppc.go.jp/files/pdf/220908_guidelines04.pdf> accessed 22 December 2023. The English title would be The Guidelines for the Act on the Protection of Personal Information (Volume on Pseudonymized Personal Information and Anonymized Personal Information) [Referred to as Guidelines on Pseudonymized Personal Information and Anonymized Personal Information].

33

Kojinjoho no hogoni kansuru houritsu ni tsuiteno gaidorain (Nintei kojin joho hogo dantai hen) [個人情報の保護に関する法律についてのガイドライン(認定個人情報保護団体編)] <https://www.ppc.go.jp/files/pdf/220908_nintei_dantai_guidelines.pdf> accessed 22 December 2023. The English title would be ‘The Guidelines for the Act on the Protection of Personal Information (Volume on Certified Personal Information Protection Organizations)’ [Guidelines on Certified Personal Information Protection Organizations].

34

Kojinjoho no hogoni kansuru houritsu ni tsuiteno gaidorain (Kojin joho no hogoni kansuru houritunituiteno gaidorain nikansuru Q&A) [「個人情報の保護に関する法律についてのガイドライン」に関するQ&A] <https://www.ppc.go.jp/files/pdf/2304_APPI_QA.pdf> accessed on 22 December 2023. The English title would be ‘Q&A on the Guidelines for the Act on the Protection of Personal Information’ [Referred to as Q&A on the Guidelines].

35

See NTT Data Keiei Kenkyujo, Kunino gyousei kikan ga kouhyoushita gaidorain tou no jittai haakunotameno chosa kenkyu; Material number 8 ‘Gyosei Rippou no Shihou Shinsa’ [NTTデータ経営研究所, 国の行政機関が公表したガイドライン等の実態把握のための調査研究; Material number 8 ‘行政立法の司法審査’] <https://lawcenter.ls.kagoshima-u.ac.jp/shihouseido_content/sihou_suishin/kentoukai/gyouseisosyou/041029matome.html> accessed 22 December 2023. See for a comparison with the EU Linda Senden, Soft Law in European Community Law (Hart Publishing 2004); Archer Daniels Midland, Case T-59/02, [2006], (ECLI:EU:T:2006:272), para 43.

36

APPI 2021 (n 13), art 146 (Reports and On-Site Inspections).

37

Ibid, art 146(1).

38

Ibid, art 146(3).

39

Various provisions and/or sections are excluded to be precise, but they are basically from arts 23 to 43. See ibid, art 148(1).

40

Ibid, art 148(2).

41

Ibid, art 148(3).

42

Ibid, art 148(2).

43

Ibid, art 148(3).

44

The APPI 2021 uses the term Kojin joho toriatsukai jigyousya [個人情報取扱事業者] in Japanese, translated into English as Businesses Handling Personal Information. A ‘Business Handling Personal Information’ is a person—legal or natural—that uses a personal information database or the equivalent for business. This concept is similar to data controller/processor under the General Data Protection Regulation (GDPR) in the sense that it is the main addressee of the Act. The two concepts are, however, not the same. For example, the distinction between data controller and processor is approached differently under the APPI compared to the GDPR. This article uses the term operator to refer to the legal and natural persons in the scope of the obligations of the APPI.

45

Under the APPI 2021, the concept of personal data is slightly complicated. Relevant to this context, there are three concepts under the Act: Kojin joho [個人情報] or personal information; kojin deta [個人データ] or personal data; and Kojin detabesu tou [個人情報データベース等] or personal information database. In a nutshell, to illustrate the difference, a business card is an example of personal information. If multiple records of personal information are stored collectively, for example in a database, then the entire collection is referred to as a personal information database. Each record in the database is personal data. These concepts are distinguished mainly because different obligations apply. This article simply refers to personal data unless the distinction is relevant in the context.

46

The APPI 2021 uses Honnin [本人] or identifiable person, which is the equivalent of data subject under the GDPR.

47

APPI 2021 (n 13), art 28(2).

48

Electronically, by documents, or other ways that are appropriate. See Enforcement Rules (n 26), art 17(1).

49

Ibid, art 17(2).

50

APPI 2021 (n 13), art 28(1) and (3); Enforcement Rules (n 26), art 16.

51

APPI 2021 (n 13), art 27(1) stipulates seven cases where operators can provide personal data to third parties without the data subject’s prior consent.

52

Enforcement Rules (n 26), art 15.

53

Kojinno kenri riekiwo hogosuru uede wagakunito doutouno suijunni aruto mitomerareru kojinjouhouno hogoni kansuru seidowo yuushiteiru gaikokutou [個人の権利利益を保護する上で我が国と同等の水準にあると認められる個人情報の保護に関する制度を有している外国等] <https://www.ppc.go.jp/files/pdf/210101_h31iinkaikokuji01.pdf> accessed 22 December.

54

The decision (report) was adopted at the 237th Committee meeting of the PPC <https://www.ppc.go.jp/aboutus/minutes/2023/20230322/> accessed 22 December 2023. The original Japanese version of the joint press statement is available at <https://www.ppc.go.jp/files/pdf/230412_shiryou-3-2.pdf> accessed 22 December 2023. The English version is available at <https://www.ppc.go.jp/files/pdf/230412_shiryou-3-3.pdf> accessed 22 December 2023.

55

APPI 2021 (n 13), art 28(1) and (3).

56

Enforcement Rules (n 26), art 16.

57

Ibid, art 16(1)(i).

58

Guidelines on Provision to Third Parties in Foreign Countries (n 30).

59

Ibid (emphasis added).

60

Enforcement Rules (n 26), art 16(1)(ii).

61

Guidelines on Provision to Third Parties in Foreign Countries (n 30) 38 (emphasis added).

62

Enforcement Rules (n 26), art 18.

63

Guidelines on Provision to Third Parties in Foreign Countries (n 30) 50.

64

A more verbatim translation would be ‘check implementation status of ‘equivalent measures’ by the receiving party’.

65

Enforcement Rules (n 26), art 18(1)(i).

66

Ibid, art 18(1)(ii).

67

APPI 2021 (n 13), art 27(1)(i)–(vii).

68

The receiving entity need not be established in a foreign country. As long as an entity is subject to Japanese data protection law, it needs to comply with these obligations.

69

APPI 2021 (n 13), art 30(1), Enforcement Rules (n 26), art 22.

70

Guidelines on Checking and Recording Obligation at the Time of Provision (n 31).

71

The English translation of the explanation in the Guidelines would be ‘… suspected that the personal data was acquired improperly, but nevertheless received the personal data …’ It should be noted that, in practice and in theory, there is a gap between when one ‘suspects improper acquisition’ and when one ‘has reasons to believe it was improper acquisition’ and so forth. Thus, it is not clear whether simply suspecting improper acquisition can trigger a finding that the receiving party is violating art 20(1).

72

The GDPR applies to the EEA, which encompasses, in addition to all the EU Member States, also Iceland, Liechtenstein, and Norway. For this article, the term EU also includes the EEA Member States unless explicitly indicated otherwise.

73

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, art 45 (hereinafter referred to as ‘GDPR’). See further Japan adequacy decision (n 1); Hitomi Iwase, ‘Overview of the Act on the Protection of Personal Information’ (2019) 5 European Data Protection Law Review, 92, 97; Miyashita (n 14) 1.

74

Guidelines on Provision to Third Parties in Foreign Countries (n 30) 10–11.

75

EC 2023B (n 15) 23.

76

The European Commission therefore considers the EU-Japan region as ‘the world’s largest area of free and safe data flows’. See European Commission and Personal Information Protection Commission, ‘Joint Press Statement on the conclusion of the first review of the Japan-EU mutual adequacy arrangement’ (4 April 2023) <https://commission.europa.eu/news/joint-press-statement-conclusion-first-review-japan-eu-mutual-adequacy-arrangement-2023-04-04_en> accessed 20 December 2023.

77

Japan adequacy decision (n 1), art 1(1).

78

See EC PPC Joint Press Statement 2023 (n 76).

79

Japan adequacy decision (n 1), rec. 4. See further Eticas, ‘EUJUS FLOW—A strategic approach to tracking international cross-border data flows across the EU-Japan and the US’ (Report for the Digital Trade Alliance 2023) 3–4.

80

Japan adequacy decision (n 1) Annex I and Annex II.

81

Ibid.

82

See further, Yakovleva (n 8) 9–10.

83

Commission, ‘Report from the European Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decision for Japan’ COM (2023) 275, 3 April 2023; Personal Information Protection Commission, ‘個人情報の保護に関する法律第28条に基づくEU及び英国の指定の見直しに関する報告書’ (22 March 2023), 個人情報の保護に関する法律第28条に基づくEU及び英国の指定の見直しに関する報告書-個人情報保護委員会 (ppc.go.jp), accessed 20 December 2023.

84

See eg, European Data Protection Board, ‘Opinion 28/2018 regarding the European Commission Draft Implementing Decision on the adequate protection of personal data in Japan’ (5 December 2018) (hereinafter referred to as ‘EDPB 2018’); European Parliament, ‘Adequacy of the Protection of Personal Data Afforded by Japan’ (P8_TA(2018)0529, 13 December 2018); Miyashita (n 14).

85

EDPB 2018 ibid 19–21.

86

APPI 2021 (n 13), art 27.

87

Charter of Fundamental Rights of the European Union, OJ 2010 C 83/389.

88

C-362/14 Schrems I (n 6), para 73; Opinion 1/15, Opinion of 26 July 2017 (Grand Chamber) [2017], (ECLI:EU:C:2017:592), paras 133–141; and C-311/18 Schrems II (n 6), paras 170, 171, 186, and 187.

89

Miyashita reports on a study of the PPC which shows that for example 39.7 per cent of all personal data received from the EU by Japanese operators is transferred further to the US. See Hiroshi Miyashita, ‘The Japanese Regulations on Data Transfer Toward Data Free Flow with Trust’ (Report for the Digital Trade Alliance 2023) 8–9.

90

See for an overview of these options Figure 2.

91

APPI 2021 (n 13), art 28(2).

92

Ibid, art 28(3). See further Guidelines on Provision to Third Parties in Foreign Countries (n 30) 46–54.

93

Guidelines on Provision to Third Parties in Foreign Countries (n 30) 47 (Case 1 as translated by the Digital Trade Alliance).

94

European Data Protection Board, ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’ (Version 2.0, 18 June 2021) (hereinafter referred to as ‘EDPB 2021’).

95

C-311/18 Schrems II (n 6) para 133. The CJEU based this finding on art 44 GDPR, which requires as an overarching objective for all transfers under the GDPR that ‘the level of protection of natural persons guaranteed’ by the GDPR ‘is not undermined’. See further EDPB 2021 ibid (reference removed to preserve anonymity of the authors).

96

C-362/14 Schrems I (n 6), para 106; C-311/18 Schrems II (n 6), paras 200–202.

97

Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (7 October 2022).

98

Ibid, s 2.

99

Ibid, s 3.

100

Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework [2023] OJ L231/118 (hereinafter referred to as ‘DPF’).

101

EO 2022 (n 97), s 3(f).

102

Ibid.

103

A search of the Diet’s meeting minutes did not reveal any discussion of the Executive Order beyond a brief introduction of its content. It therefore appears that for the moment this is not discussed from a Japanese perspective in any official channels.

104

Guidelines on Provision to Third Parties in Foreign Countries (n 30) 13–14.

105

Organisation for Economic Cooperation and Development, ‘Annex to the recommendation of the Council of 23 September 1980: Guidelines governing the protection of privacy and transborder flows of personal data’ (23 September 1980); Organisation for Economic Cooperation and Development, ‘Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data’ (11 July 2013).

106

Asia-Pacific Economic Cooperation, ‘APEC Privacy Framework’ (2015).

107

The list can be found here <https://www.ppc.go.jp/enforcement/infoprovision/laws/> accessed 20 December 2023 (only in Japanese).

108

Ibid.

109

For the assessment of the US see here: <Foreign System (United States) |Personal Information Protection Commission (ppc.go.jp)> accessed 22 December 2023.

110

Guidelines on Provision to Third Parties in Foreign Countries (n 30) 12, 14, 36, and 40.

111

Asia-Pacific Economic Cooperation, ‘APEC Cross-Border Privacy Rules System—Policies, Rules and Guidelines’ (updated as of November 2019). See further Asia Pacific Economic Cooperation, ‘What is the Cross-Border Privacy Rules System’ (October 2021) <https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System> accessed 20 December 2023.

112

EC 2023B (n 15) 22.

113

Ibid. The APEC CBPR system has already been found incompatible with the Data Protection Directive (DPD), the GDPR’s predecessor, by the EU data protection authorities. See Article 29 Working Party, ‘Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents’ (WP 212, 27 February 2014). Ever since the adoption of the adequacy decision, there has been a discussion on whether the APEC CBPR system could still be used for EU personal data, considering that from the perspective of the APPI, as discussed in the ‘International data transfer under Japanese data protection law’ section, they are considered an equivalent measure for either the exporting or importing operator. The guidance of the PPC does not, as noted by the European Commission in their evaluation, explicitly clarify that the APEC CBPR system is not suitable for data coming from the EU.

114

U.S. Department of Commerce, ‘Global Cross-Border Privacy Rules Declaration’ (22 April 2022) <https://www.commerce.gov/global-cross-border-privacy-rules-declaration> accessed 20 December 2023. See further U.S. Department of Commerce, ‘Statement by Commerce Secretary Raimondo on Establishment of the Global Cross-Border Privacy Rules (CBPR) Forum’ (21 April 2022) <https://www.commerce.gov/news/press-releases/2022/04/statement-commerce-secretary-raimondo-establishment-global-cross-border> accessed 20 December 2023; Graham Greenleaf, ‘Global CBPRs: A Recipe for Failure?’ (2022) 177 Privacy Laws & Business International Report 11. The European Commission in its review of Japan’s adequacy already made clear that these global CBPR will also not cut it from an EU perspective. EC 2023B (n 15) 23.

115

Greenleaf ibid 2. Miyashita reports that according to a study by the PPC no onward transfer of EU personal data to the US has as yet been based on the APEC CBPR system. See Miyashita (n 89) 8.

116

US–Japan DTA (n 3).

117

Ibid, art 11(2).

118

Ibid, art 1(dd).

119

Yakovleva (n 8) 12.

120

Ibid.

121

Yakovleva observes that such a business context would probably be understood broadly. Ibid 12–13.

122

US–Japan DTA (n 3), art 11(2).

123

Yakovleva (n 8) 14–16.

124

Miyashita (n 89).

125

Yakovleva (n 8).

126

CPTPP (n 2). The CPTPP emerged from the Trans-Pacific Partnership (TPP), a trade agreement in which the US was supposed to take part but which was never adopted due to its withdrawal.

127

Compare art 14(11) to art 11(1) US–Japan DTA (n 3). Yakovleva observes that the only difference between both clauses seems to be that the DTA is formulated as a negative obligation in contrast to the CPTPP positive obligation. See Yakovleva (n 8) 12.

128

EC 2023B (n 15) 23.

129

Ibid 24.

130

EU and Japan, ‘Protocol amending the agreement between the European Union and Japan for an Economic Partnership’ (28 October 2023) <https://www.mofa.go.jp/mofaj/files/100615101.pdf> accessed 20 March 2024; European Commission, ‘EU and Japan conclude landmark deal on cross-border data flows at High-Level Economic Dialogue’ (28 October 2023) <https://ec.europa.eu/commission/presscorner/detail/en/ip_23_5378> accessed 20 March 2024. See further Commission, ‘Recommendation for a Council Decision authorising the opening of negotiations for the inclusion of provisions on cross-border data flows in the Agreement between the European Union and Japan for an Economic Partnership’ COM (2022) 336 final, 12 July 2022; and Commission, ‘Annex to Recommendation for a Council Decision authorising the opening of negotiations for the inclusion of provisions on cross-border data flows in the Agreement between the European Union and Japan for an Economic Partnership’ COM (2022) 336 final, 12 July 2022; European Data Protection Supervisor, ‘Opinion 17/2022 on the Recommendation for a Council Decision authorising the opening of negotiations for the inclusion of provisions on cross-border data flows in the Agreement between the European Union and Japan for an Economic Partnership’ (9 August 2022) 2–6.

131

EU–Japan data flow clause (n 130), art 8.81(4). FN1 to this clause defines ‘conditions of general application’ as ‘conditions formulated in objective terms that apply horizontally to an unidentified number of economic operators’.

132

World Economic Forum, ‘White paper: Data Free Flow with Trust (DFFT): Paths towards Free and Trusted Data Flows’ (May 2020) (hereinafter referred to as ‘WEF 2020’). See further Miyashita (n 89).

133

Greenleaf (n 114).

134

WEF 2020 (n 132).

135

EC 2023B (n 15) 2; David G Litt and A Reid Monroe Sheridan, ‘The US-Japan Digital Trade Agreement and “Data Free Flow with Trust”’ (Asia Law Institute, 3 February 2022) <https://usali.org/usali-perspectives-blog/the-us-japan-digital-trade-agreement-and-data-free-flow-with-trust> accessed 20 December 2023.

136

See for some details on these doubts the ‘Personal data transfers from Japan to the EU’ section.

137

EC 2023A (n 83); EC 2023B (n 15).

138

See the reviews of the Privacy Shield by the European Commission. See Commission (EC), ‘Report from the Commission to the European Parliament and the Council on the first annual review of the functioning of the EU-U.S. Privacy Shield’ COM (2017) 611 final, 18 October 2017; Commission (EC), ‘Report on the second annual review of the functioning of the EU-U.S. Privacy Shield’ COM (2018) 860 final, 19 December 2018; and Commission (EC), ‘Report on the third annual review of the functioning of the EU-U.S. Privacy Shield’ COM (2019) 495 final, 23 October 2019.

139

Yakovleva (n 8).

140

Chander and Schwartz (n 7) 94.

141

Ibid 80.

142

Ibid.

143

Ari Ezra Waldman, Industry Unbound: The Inside Story of Privacy, Data and Corporate Power (CUP, Cambridge, United Kingdom 2021).

144

Chander and Schwartz (n 7) 80.

145

Ibid.

146

Ibid 120–25.

147

See on the difficult relationship between law and technology for example Lawrence Lessig, Code and Other Laws of Cyberspace (Basic Books, New York City, USA 1999); Mireille Hildebrandt, ‘A vision of Ambient Law’ in Roger Brownsword and Karen Yeung (eds), Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes (Hart Publishing, New York City, USA 2008), 175–92; Bart-Jaap Koops, ‘Criteria for Normative Technology: The Acceptability of ‘Code as Law’ in Light of Democratic and Constitutional Values’ in Roger Brownsword and Karen Yeung (eds), Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes (Hart Publishing, New York City, USA 2008) 157–74; Karen Yeung, ‘Towards an Understanding of Regulation by Design’ in Roger Brownsword and Karen Yeung (eds), Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes (Hart Publishing, New York City, USA 2008) 79–108; and Karen Yeung and Lee A Bygrave, ‘Demystifying the Modernized European Data Protection Regime: Cross-disciplinary Insights from Legal and Regulatory Governance Scholarship’ (2022) 16 Regulation & Governance 137.

148

Chander and Schwartz (n 7) 57. See further Eger (n 10); Hondius (n 11); OECD Guidelines (n 105); Novotny (n 10); Nanda (n 10); Beling (n 10).

149

Kuner (n 10); Gloria González Fuster, ‘Un-mapping Personal Data Transfers’ (2016) 2 European Data Protection Law Review 160.

150

WEF 2020 (n 132).

151

Chander and Schwartz (n 7).

152

Kristina Irion, Margot E Kaminski, and Svetlana Yakovleva, ‘Privacy Peg, Trade Hole: Why We (Still) Shouldn’t Put Data Privacy in Trade Law’ (2023) The University of Chicago Law Review Online <https://lawreviewblog-uchicago-edu.libproxy.ucl.ac.uk/2023/03/27/irion-kaminski-yakovleva/> accessed 20 December 2023.

153

Aharon Barak, Proportionality: Constitutional Rights and their Limitations (e-book, CUP 2012).

154

Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, Case C-131/12, [2014] (ECLI:EU:C:2014:317), para 81; Google LLC, venant aux droits de Google Inc v Commission nationale de l’informatique et des libertés (CNIL), Case C-507/17, [2019] (ECLI:EU:C:2019:772), para 45; FT v DW, Case C-307/22, [2023] (ECLI:EU:C:2023:811), para 64.

155

EU Charter (n 87), art 16.

156

Chander and Schwartz (n 7) 120–25.

157

Irion, Kaminski and Yakovleva (n 152).

158

Kuner (n 11).

159

See for an overview Gloria González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU (Springer, Cham, Switzerland 2014).

160

See C-507/17 Google v CNIL (n 154), paras 64 and 72.

161

C-362/14 Schrems I (n 6), para 73; C-311/18 Schrems II (n 6), paras 170, 171, 186, and 187.

162

Understood here as used by Buenger, to describe friction that intentionally arises because of law. See eg, Michael L Buenger, ‘Friction by Design: The Necessary Contest of State Judicial Power and Legislative Policymaking’ (2009) 43 University of Richmond Law Review 571. This is to be distinguished from the idea that law might require technology to have frictions, developed for example by Frischmann and Benesch. See Brett Frischmann and Susan Benesch, ‘Friction-in-design Regulation as 21st Century Time, Place, and Manner Restriction’ (2023) 25 Yale Journal of Law and Technology 376.

163

Sebastiano Bagnara and Simone Pozzi, ‘Design for Reflection’ (2012) 41 IOS Press 1108.

164

Waldman (n 143).

165

As proposed by Kagan, fragmentation and complexity are not inherently negative; it depends on how a legal culture or administration handles them. See Robert A Kagan, ‘Fragmented Political Structure and Fragmented Law’ (2010) 4 Jus Politicum Revue Internationale de Droit Politique 1. Galanter reminds us that such management needs to consider the effect on the different parties of the legal system in order to avoid benefitting only those that are already well equipped to handle their legal challenges. See Marc Galanter, ‘Why the “Haves” Come Out Ahead: Speculations on the Limits of Legal Change’ (1974) 9 Law & Society Review 95.

166

Guidelines on Provision to Third Parties in Foreign Countries (n 30).

167

See for the details, the ‘Introduction to Japanese data protection law’ and the ‘International data transfer under Japanese data protection law’ sections.

168

The list can be found here <https://www.ppc.go.jp/enforcement/infoprovision/laws/> accessed 20 December 2023 (only in Japanese).

Acknowledgments

The authors would like to thank the participants of the Privacy Law Scholar Conference (PLSC) 2023 in Boulder and the anonymous reviewer for their insightful and helpful comments. The research of Laura Drechsler was partially funded by the LAGO project (grant agreement 101073951).

This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic-oup-com.libproxy.ucl.ac.uk/pages/standard-publication-reuse-rights)